Texas Health Agency Hit with $1.6M Fine After Data Breach

The United States federal government imposed a massive $1.6 million fine on the Texas Health and Human Services Commission. The fine imposed by the nation comes after the healthcare agency exposed patients to a data breach.

According to the news release by the U.S. Department of Health and Human Services, the commission violated the HIPAA. The Health Insurance Portability and Accountability Act of 1996 calls for privacy and security of information. The news release dated November 7, 2019, states that the Texas commission (TX HHSC) violated this act.

In a statement, OCR Director Roger Severino said, “covered entities need to know who can access protected health information. No one should have to worry about their private health information being discoverable through Google search,” says Severino.

Texas Health Agency Data Breach


Though the service provider leaked sensitive details on its patients, InfoSecurity Magazine reports that the Texan-based agency was still fined.

Upon closer look at the OCR, the agency discovered TX HHSC’s lack of auditing and security measures. Apart from these, the OCR also found the TX HHSC guilty from its failure to conduct an “enterprise-wide risk analysis.”

In response to the fines and allegations posed to the company, spokesperson Kelli Weldon issued a statement. Weldon said, “we are continually examining ways to strengthen our processes for the health and safety of Texans.”

Prior to restructuring its organization, the TX HHSC was previously known as the Department of Aging and Disability Services (DADS). The company reorganization only occurred last September 2017.

Details of the Incident

The TX HHSC, then DADS, was involved in a data breach that dates back to June 11, 2015. DAS filed an incident report with the Office for Civil Rights (OCR). The report said that the treatment information of customers was accessible over the Internet.


The data security breach stemmed from a company database. A company worker reportedly moved an internal application to a private server. Following the move, the company encountered a vulnerability in the system.

The flaw allowed access to the electronic protected health information (ePHI) without proper credentials. According to InfoSecurity Magazine, approximately 6,617 people were affected.

Compromised data include customer names, addresses, Social Security numbers, and treatment information. Those affected by the breach are customers whose names were already in the database from 2013 to 2017, says InfoSecurity.

The Texas Health and Human Services Commission is the second recipient of a million-dollar fine from the government. The University of Rochester Medical Center was also meted $3 million fine after the company’s mobile device encryption fail.